Client certificate for browser authentication (X.509)

Airlock IAM can authenticate users by verifying X.509 client certificates.

A client certificate can be used in the SSL handshake by the browser to authenticate the user already while connecting to the server.

Client certificates can come in different forms:

• from a smart card (used with a smart card reader)
• from a USB or another device
• as a software certificate installed in the browser (less secure)

• Browser: has access to client certificate and uses it in SSL handshake
• Airlock Gateway: asks for client certificate in SSL handshakes
• Verifies that client certificate issuer is trusted
• Verifies signature on client certificate
• Verifies validity period of client certificate
• Airlock IAM: receives client certificate information from Airlock Gateway
• Verifies validity of client certificate with external CRL or OCSP server
• Maps client certificate to a user or extracts user information from certificate
• Takes into account the user account status (e.g. locked), the user's roles, and other information.